Fixed uniswap AMM pool used
Summary
ExactInputSingleParams sets a fixed pool fee which fixes the uniswap AMM pool to be used. This may not be the most optimal pool for users - there may be other pools (of the same token pair but with different fees) available with higher liquidity and hence lower slippage.
https://github.com/Cyfrin/2023-07-beedle/blob/658e046bda8b010a5b82d2d85e824f3823602d27/src/Fees.sol#L30C8-L40C16
Vulnerability Details
There are different pools of the same token pairs available in uniswap. These pools are differentiated by different fees. The TVL of each pool would be different.
For example, at the time of writing:
USDC/ETH pool @ 0.05% fees has a TVL of $268.51M
USDC/ETH pool @ 0.3% fees has a TVL of $93.21M
Pools with higher liquidity would reduce slippage for users, which could be a significant amount depending on the actual token pair/ TVL of the pool. By fixing the pool for users, it could result in loss of funds in this regard.
Impact
See above.
Tools Used
Manual review.
Recommendations
Users should be given the option to choose their own uniswap pool (i.e. input the pool fees).
Prize pool breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.